<div dir="ltr"><div><div>Prepared Statements are the current state of the art. Slashes and html entities are not really used in modern PHP any more.<br><br><a href="http://www.w3schools.com/php/php_mysql_prepared_statements.asp">http://www.w3schools.com/php/php_mysql_prepared_statements.asp</a><br><br></div>You should also use mod_security in Apache if that is your webserver.<br><br><a href="https://www.howtoforge.com/apache_mod_security">https://www.howtoforge.com/apache_mod_security</a><br><br></div>You should also have an idea of what you plan to accept as input. A phone number doesn't need letters or symbols. A name doesn't need symbols. You should perform multiple layers of checking before passing on data from a user. If you have an input for names but they are putting in a ! symbol, you should kick out their input or verify that a Mr. Kickass!! $$CatKisser$$ is using your form.<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Sep 14, 2016 at 7:11 AM, Keith Smith <span dir="ltr"><<a href="mailto:techlists@phpcoderusa.com" target="_blank">techlists@phpcoderusa.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
I think this is a great opportunity to talk about sanitizing one's data before sending it to the DB.<br>
<br>
There are two very easy things one can do if programming in PHP.<br>
<br>
1) Addslashes - Returns a string with backslashes before characters that need to be escaped. These characters are single quote ('), double quote ("), backslash (\) and NUL (the NULL byte).<br>
<br>
2) htmlentities — Convert all applicable characters to HTML entities - this will convert any semicolons not enclosed in quotes into its html entity.<br>
<br>
<a href="http://php.net/manual/en/security.database.sql-injection.php" rel="noreferrer" target="_blank">http://php.net/manual/en/security.database.sql-injection.php</a><br>
<br>
Little Bobby Tables : <a href="http://php.net/manual/en/images/fa7c5b5f326e3c4a6cc9db19e7edbaf0-xkcd-bobby-tables.png" rel="noreferrer" target="_blank">http://php.net/manual/en/images/fa7c5b5f326e3c4a6cc9db19e7edbaf0-xkcd-bobby-tables.png</a><br>
<br>
I do not profess to be an expert in this area. I spent a lot of time looking into this about 10 years ago and still feel like I need to know more. I'm always eager to learn more in this area.<br>
<br>
Please add your thoughts?<br>
<br>
Thanks!!<br>
Keith<div class="HOEnZb"><div class="h5"><br>
<br>
<br>
<br>
<br>
On 2016-09-14 01:41, der.hans wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Am 14. Sep, 2016 schwätzte Herminio Hernandez, Jr. so:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Should I be concerned even if my SQL server is only listening on localhost?<br>
</blockquote>
<br>
Depends on what you have using it.<br>
<br>
If it's the DB for a web site, then it's possible that SQL injection can<br>
be used to modify your database.<br>
<br>
For instance, WordPress has lots of security issues, so it likely can be<br>
exploited to use SQL injection to talk to your DB.<br>
<br>
ciao,<br>
<br>
der.hans<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On Mon, Sep 12, 2016 at 1:29 PM, Joseph Sinclair <<a href="mailto:plug-discussion@stcaz.net" target="_blank">plug-discussion@stcaz.net</a>><br>
wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
FYI, minor improvement below to lock down a few edge cases (note, this is<br>
primarily for EXT{2,3,4} and other filesystems that support file<br>
attributes).<br>
You'll also need to remove the attribute manually before updating when<br>
patches become available.<br>
<br>
On 09/12/2016 12:33 PM, der.hans wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Am 12. Sep, 2016 schwätzte Herminio Hernandez Jr. so:<br>
<br>
moin moin,<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Basically they mirror the repos. So when it hits debian I will upgrade.<br>
</blockquote>
<br>
Ah, OK.<br>
<br>
You might also want to create a couple of empty files and lock them down.<br>
<br>
$datadir can be exploited, so pre-emptively putting empty conf files in<br>
there that can't be changed by mysql is a good idea.<br>
<br>
The following is for anyone with questions on locking down the config<br>
files in $datadir.<br>
<br>
Presuming $datadir is /var/lib/mysql either of the following will lock<br>
down the files when run as root, but the first will destroy files you<br>
might already have.<br>
<br>
# >/var/lib/mysql/my.cnf<br>
# >/var/lib/mysql/.my.cnf<br>
# chmod 000 /var/lib/mysql/{.,}my.cnf<br>
</blockquote>
# chattr +i /var/lib/mysql/{.,}my.cnf<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Or, with some minimal verification that it's safe...<br>
<br>
# for file in /var/lib/mysql/{.,}my.cnf; do<br>
if [ ! -e $file ] ; then<br>
>$file<br>
chmod 000 $file<br>
</blockquote>
chattr +i $file<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
ls -l $file<br>
</blockquote>
lsattr $file<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
else<br>
ls -l $file<br>
</blockquote>
lsattr $file<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
echo "You might want to check on that"<br>
fi<br>
done<br>
<br>
ciao,<br>
<br>
der.hans<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Sent from my iPhone<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On Sep 12, 2016, at 12:00 PM, der.hans <PLUGd@LuftHans.com> wrote:<br>
<br>
Am 12. Sep, 2016 schwätzte Herminio Hernandez Jr. so:<br>
<br>
moin moin,<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Thanks have some SQL in DO droplets. Will be looking for this.<br>
</blockquote>
<br>
Will DigitalOcean automagically apply the patches for you?<br>
<br>
I would expect it's in their best interest.<br>
<br>
I'm certain DreamHost is already upgraded. GoDaddy is probably rolling it<br>
out already, but I no longer know anyone on the team over there, so am not<br>
sure how quick they will be.<br>
<br>
This is admittedly one of the advantages of cloud. The infrastructure<br>
providers can centrally test and roll out for everyone. The disadvantage<br>
is if it's something that affects you, but they don't know or care about<br>
it :).<br>
<br>
ciao,<br>
<br>
der.hans<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Sent from my iPhone<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On Sep 12, 2016, at 11:18 AM, der.hans <PLUGd@LuftHans.com> wrote:<br>
<br>
moin moin,<br>
<br>
a MySQL remote exploit was announced this morning. Percona and MariaDB<br>
already have fixes that have not yet hit the distros.<br>
<br>
<a href="https://www.percona.com/blog/2016/09/12/percona-server-critical-update-cve-2016-6662" rel="noreferrer" target="_blank">https://www.percona.com/blog/2016/09/12/percona-server-critical-update-cve-2016-6662</a><br>
<br>
<a href="http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html" rel="noreferrer" target="_blank">http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html</a><br>
<br>
Watch for updates.<br>
<br>
ciao,<br>
<br>
der.hans<br>
--<br>
# <a href="http://www.LuftHans.com/" rel="noreferrer" target="_blank">http://www.LuftHans.com/</a> <a href="http://www.PhxLinux.org/" rel="noreferrer" target="_blank">http://www.PhxLinux.org/</a><br>
# Fairy Tale, n.: A horror story to prepare children for the newspapers.<br>
------------------------------<wbr>---------------------<br>
PLUG-discuss mailing list - <a href="mailto:PLUG-discuss@lists.phxlinux.org" target="_blank">PLUG-discuss@lists.phxlinux.or<wbr>g</a><br>
To subscribe, unsubscribe, or to change your mail settings:<br>
<a href="http://lists.phxlinux.org/mailman/listinfo/plug-discuss" rel="noreferrer" target="_blank">http://lists.phxlinux.org/mail<wbr>man/listinfo/plug-discuss</a><br>
</blockquote>
</blockquote>
<br>
--<br>
# <a href="http://www.LuftHans.com/" rel="noreferrer" target="_blank">http://www.LuftHans.com/</a> <a href="http://www.PhxLinux.org/" rel="noreferrer" target="_blank">http://www.PhxLinux.org/</a><br>
# "You go to Afghanistan and you swallow enough dust that you'll pass an<br>
# adobe brick." -- Robin Williams, 03Aug2006<br>
</blockquote>
</blockquote>
<br>
</blockquote>
<br>
<br>
<br>
</blockquote>
<br>
</blockquote>
<br>
</blockquote>
<br>
-- <br></div></div><span class="HOEnZb"><font color="#888888">
Keith Smith</font></span><div class="HOEnZb"><div class="h5"><br>
</div></div></blockquote></div><br></div>
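<p>To put the two points raised in this thread (allowlist your form input first, then use prepared statements rather than addslashes/htmlentities) into working code, here is an added example that is not from any of the posters. It assumes PHP with the PDO SQLite driver so it runs offline; the table and the sample submissions are constructed for the demonstration.</p>

```php
<?php
// Added example, not code from the thread: allowlist the shape of each form
// field first, then hand the data to a PDO prepared statement. SQLite in memory
// is assumed so this runs offline; for MySQL swap the DSN (and set
// PDO::ATTR_EMULATE_PREPARES to false so the server does the preparing).
declare(strict_types=1);

// Layer 1: reject anything outside what the field is for. A name needs no
// symbols, a phone number needs no letters. Unexpected input is kicked out,
// not "escaped" into the query.
function validateName(string $name): ?string
{
    $name = trim($name);
    // Letters in any script, spaces, apostrophes and hyphens, 1 to 100 chars.
    return preg_match('/^[\p{L} \'\-]{1,100}$/u', $name) === 1 ? $name : null;
}

function validatePhone(string $phone): ?string
{
    $digits = preg_replace('/[\s().\-]/', '', trim($phone)); // drop separators
    return preg_match('/^\+?[0-9]{7,15}$/', $digits) === 1 ? $digits : null;
}

// Layer 2: bound parameters travel separately from the SQL text, so the quote
// in "O'Neil" is data, never syntax. No addslashes() involved.
function insertContact(PDO $db, string $name, string $phone): int
{
    $stmt = $db->prepare('INSERT INTO contacts (name, phone) VALUES (:name, :phone)');
    $stmt->execute([':name' => $name, ':phone' => $phone]);
    return (int) $db->lastInsertId();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT, phone TEXT)');

// Constructed sample submissions, shaped like $_POST fields.
$submissions = [
    ['name' => "Robert O'Neil", 'phone' => '(602) 555-0142'],
    ['name' => 'Mr. Kickass!! $$CatKisser$$', 'phone' => '602-555-0199'],
];
foreach ($submissions as $s) {
    $name = validateName($s['name']);
    $phone = validatePhone($s['phone']);
    if ($name === null || $phone === null) {
        echo "rejected: {$s['name']}\n";
        continue;
    }
    echo 'stored contact id ' . insertContact($db, $name, $phone) . "\n";
}
```

The first submission is stored with its apostrophe intact; the second is rejected by the name allowlist before it reaches the database at all.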